Kuro5hin.org: technology and culture, from the trenches

Hunt for a new trojan

By hstink in Internet
Wed Sep 03, 2003 at 11:37:39 AM EST
Tags: Security

Labour Day was going pretty typically for me.  I slept in, ate some breakfast and sat down at the computer to see how far a TV show I was downloading had progressed.

For some reason though, my upload speed wasn't the constant value I'd set it at, but fluctuating wildly like something was competing for bandwidth.  I opened up the invaluable TCPView and found to my horror that I was spewing out spam at around 2 or 3 messages per second.

Warning: Technical mumbo jumbo ahead.


Needless to say, I quickly stopped the outgoing emails, tracked down the sod who was sending the spam to me for relaying, and fired off an email to his ISP explaining what that IP address was doing to my PC.  In 22 minutes I received a reply saying the IP had been nullrouted, and it still is to this moment.  I was extremely impressed.

So then I started hunting for the trojan in all the usual places, but turned up nothing.  My process list looked normal.  The only symptom was explorer.exe listening on randomized ports every time it was started.  Had someone finally written a trojan that lived its life as a DLL shell extension?

I searched and searched, but I couldn't find a way to discover which child DLL of explorer.exe was initiating the listening connections.  It was certainly out of my league.  This is my only computer, so I decided that I'd have to connect to the internet to get help, and plugged back in.  Immediately explorer.exe started communicating with something... a new IP!  I still haven't figured out how it found this new IP to talk to after the spammer got nullrouted.  Regardless, I now had the chance to get some decent network tools, and logged everything that was sent.

I started searching around IRC channels for anyone that could help me track down the bug.  None of the current virus scanners, trojan removers or malware scanners found anything, so I assumed I had something new.  I eventually found my way to #security on Freenode, still not exactly sure what I should do.  Eventually someone had the great idea to perform a search on the IP that I was now a slave to, and lo and behold:

The Query.

The Culprit.

Apparently the ISP in question has been rather lax about this rogue machine.  My email to abuse@ev1.net hasn't been answered yet.

Sure enough I found the wthunk32.dll file on my computer.  Some more investigation uncovered:

The DLL is loaded via this registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"OLE Automation Module"="{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}"

The contents of that CLSID are, unsurprisingly:

[HKEY_CLASSES_ROOT\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\WINNT\System32\wthunk32.dll"
"ThreadingModel"="Apartment"

Upon searching for other files on my system modified at the same time wthunk32.dll was, all I found was msdos.exe - residing in C:\.  It's still a mystery to me as to where it came from, but after unpacking msdos.exe it appears to be nothing more than a PECompact-compressed installer for wthunk32.dll and its associated registry keys.

I still have no idea how I became infected in the first place, nor do I know how a seemingly static trojan picks its master machine to communicate with - registry and file scans didn't uncover any obvious storage of the IP address in question.

In case anyone is interested, I can supply the msdos.exe and wthunk32.dll files upon request.  If you think you're infected, this is what my copies look like:

msdos.exe - 13,312 bytes - MD5: 52fb0d9c5135add96796458a386b545f
wthunk32.dll - 14,848 bytes - MD5: 3b75aeeef612c88b1527de86506efe09

I unpacked msdos.exe with UnPECompact 1.32, which gave:

unpacked.exe - 39,796 bytes - MD5: 623a084909f5f69ad7bd21fa1a27c0b0

I have no idea how far spread this trojan is, how much spam is being spewed out by it or when popular anti-virus / anti-trojan programs will recognize it.  I do know however that I will be making an angry phone call or two to ev1.net tomorrow.

Hunt for a new trojan | 99 comments (83 topical, 16 editorial, 0 hidden)
Some extra details (4.92 / 13) (#1)
by hstink on Wed Sep 03, 2003 at 06:30:10 AM EST

This is one of the command packets that my PC requested from the server:

Time/Date(02:29:41/03.09.2003)        Protocol/Number(TCP/6)
Source(64.246.60.83)            Destination(66.20.125.180)
Source Port (80)    Destination Port (3004)    Sequential Number (3726118)    ACK Number (4677209)

          01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18

  1.     45 00 01 1b 2a 7d 40 00 2d 06 e5 4e 40 f6 3c 53 42 14     E...*}@.-.åN@ö<SB.
  2.     7d b4 00 50 0b bc 2c ca 3b 26 43 3f 6e 59 50 18 16 d0     }´.P.¼,Ê;&C?nYP..Ð
  3.     75 42 00 00 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f     uB..HTTP/1.1 200 O
  4.     4b 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 30 33 20 53     K..Date: Wed, 03 S
  5.     65 70 20 32 30 30 33 20 31 39 3a 33 38 3a 31 36 20 47     ep 2003 19:38:16 G
  6.     4d 54 0d 0a 53 65 72 76 65 72 3a 20 41 70 61 63 68 65     MT..Server: Apache
  7.     2f 31 2e 33 2e 32 37 20 28 55 6e 69 78 29 20 20 28 52     /1.3.27 (Unix)  (R
  8.     65 64 2d 48 61 74 2f 4c 69 6e 75 78 29 20 6d 6f 64 5f     ed-Hat/Linux) mod_
  9.     73 73 6c 2f 32 2e 38 2e 31 32 20 4f 70 65 6e 53 53 4c     ssl/2.8.12 OpenSSL
  10.     2f 30 2e 39 2e 36 62 20 44 41 56 2f 31 2e 30 2e 33 20     /0.9.6b DAV/1.0.3
  11.     50 48 50 2f 34 2e 31 2e 32 20 6d 6f 64 5f 70 65 72 6c     PHP/4.1.2 mod_perl
  12.     2f 31 2e 32 36 0d 0a 58 2d 50 6f 77 65 72 65 64 2d 42     /1.26..X-Powered-B
  13.     79 3a 20 50 48 50 2f 34 2e 31 2e 32 0d 0a 43 6f 6e 6e     y: PHP/4.1.2..Conn
  14.     65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 43 6f 6e     ection: close..Con
  15.     74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74     tent-Type: text/ht
  16.     6d 6c 0d 0a 0d 0a 4e 4f 54 48 49 4e 47                    ml....NOTHING
Every 2nd or 3rd command would be "BEGINV1i    IDLE" instead of "NOTHING".  I didn't get the chance to capture the traffic that was actively spamming.  These command packets are requested from the server by the zombie every 6 minutes and 40 seconds.

While the spam relaying was occurring, I also noticed a large amount of activity on the RPC ports.  This seemed very strange to me, since as far as Microsoft is concerned I'm running a fully patched Win2k box.  Perhaps this is how this new IP address discovered that I was a zombie.

I didn't divulge the IP that was nullrouted after my complaint in the story, but subsequent searches revealed that it belonged to a rather unsavoury outfit, so I'm not too hesitant anymore.  Here is the query that uncovered the kind of things they were up to before being cut off.

And big thanks to #security on Freenode as well, I'd probably still be searching if it weren't for them.
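An added example, not part of the comment above: the polling described there (a GET to the master roughly every 6 minutes 40 seconds, answered with NOTHING or BEGINV1i IDLE) is easier to find in a connection log by its near-constant period than by its content, since the command strings could change at any time.  The Python below groups log records by source/destination, measures the spread of the inter-arrival times, and flags flows whose period is almost constant; it also maps the response body to the command states mentioned above.  The log lines are constructed to mimic that traffic, with the zombie at 66.20.125.180 polling 64.246.60.83:80 and some unrelated browsing to 192.0.2.10 mixed in; the 400-second period and the body strings are taken from the comment.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed log: "date time src dst:port response-body". The beacon rows are
# spaced 400 s apart (with a second or two of jitter); the 192.0.2.10 rows are
# ordinary browsing at irregular intervals and must not be flagged.
LOG = """\
2003-09-03 02:29:41 66.20.125.180 64.246.60.83:80 NOTHING
2003-09-03 02:30:05 66.20.125.180 192.0.2.10:80 <html>...
2003-09-03 02:30:07 66.20.125.180 192.0.2.10:80 <html>...
2003-09-03 02:31:40 66.20.125.180 192.0.2.10:80 <html>...
2003-09-03 02:36:21 66.20.125.180 64.246.60.83:80 BEGINV1i    IDLE
2003-09-03 02:43:02 66.20.125.180 64.246.60.83:80 NOTHING
2003-09-03 02:45:12 66.20.125.180 192.0.2.10:80 <html>...
2003-09-03 02:49:40 66.20.125.180 64.246.60.83:80 NOTHING
2003-09-03 02:56:21 66.20.125.180 64.246.60.83:80 BEGINV1i    IDLE
"""


def parse_log(text):
    """Turn each log line into (timestamp, src, dst, body)."""
    records = []
    for line in text.splitlines():
        date, clock, src, dst, body = line.split(" ", 4)
        ts = datetime.strptime(date + " " + clock, "%Y-%m-%d %H:%M:%S")
        records.append((ts, src, dst, body))
    return records


def classify_command(body):
    """Map a response body to the command states seen in the capture.

    Only NOTHING and 'BEGINV1i ... IDLE' were observed; any other BEGINV1i
    variant is reported as 'begin' and is an assumption about the protocol."""
    b = body.strip()
    if b == "NOTHING":
        return "no-op"
    if b.startswith("BEGINV1i"):
        return "idle" if b.endswith("IDLE") else "begin"
    return "unknown"


def find_beacons(records, min_polls=4, max_cv=0.05):
    """Return (src, dst, period_seconds, count) for flows whose inter-arrival
    times are nearly constant (coefficient of variation <= max_cv)."""
    by_flow = {}
    for ts, src, dst, _body in records:
        by_flow.setdefault((src, dst), []).append(ts)
    beacons = []
    for (src, dst), stamps in by_flow.items():
        if len(stamps) < min_polls:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_cv:
            beacons.append((src, dst, round(period), len(stamps)))
    return beacons


if __name__ == "__main__":
    recs = parse_log(LOG)
    for src, dst, period, n in find_beacons(recs):
        print("beacon: %s -> %s every %ds (%d polls)" % (src, dst, period, n))
    for ts, src, dst, body in recs:
        if dst == "64.246.60.83:80":
            print(ts, classify_command(body))
```

The threshold on the coefficient of variation is the knob to tune: a hand-written poller like this one has almost no jitter, while human browsing to a single host has a huge spread, so 5% separates them cleanly in this sample; a bot that randomises its sleep would need a looser threshold or a different feature such as response size.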

people come here to discuss, not crapflood. /nt (1.19 / 26) (#35)
by ninja rmg on Wed Sep 03, 2003 at 04:48:18 PM EST





[ Parent ]
feh, again (4.60 / 5) (#36)
by eudas on Wed Sep 03, 2003 at 04:56:09 PM EST

http://www.sinfest.net/d/20030316.html

eudas
"We're placing this wood in your ass for the good of the world" -- mrgoat
[ Parent ]

indeed. does sir... (1.15 / 13) (#40)
by ninja rmg on Wed Sep 03, 2003 at 05:26:31 PM EST

endorse the posting of debugging output then? i daresay he must if he calls the post in question not a crapflood.



[ Parent ]
not a crapflood (4.33 / 6) (#44)
by eudas on Wed Sep 03, 2003 at 05:42:26 PM EST

given that the article is about the tracking of this thing, and that debugging output may assist, this post is on-topic. obviously if everybody does it just to say "this is what I got", then it somewhat turns into more of a crapflood; however, this is the only post of this type in this article.

eudas
"We're placing this wood in your ass for the good of the world" -- mrgoat
[ Parent ]

indeed. fascinating. (1.11 / 9) (#49)
by ninja rmg on Wed Sep 03, 2003 at 06:39:35 PM EST

of course, i will keep all of this in mind.



[ Parent ]
Not Crap (4.57 / 7) (#46)
by 0xA on Wed Sep 03, 2003 at 06:09:22 PM EST

This is a packet.

This adds to the discussion. By reading the packet I now know that this code receives instructions from another host and how it receives them.

Your inability to understand what you are seeing does not make it crap.

[ Parent ]

your 1337 sk1llz does not make it useful. (1.15 / 19) (#48)
by ninja rmg on Wed Sep 03, 2003 at 06:31:52 PM EST

the fact is, not everyone here is a ComputerGenious. more than that, many of us don't give a rat's ass about this guy's problems. as such, this is not an interesting piece of information. it is analogous to posting compiler output results when attempting to compile an article.

the fact that this conveys nothing to quite possibly the majority of the readers, coupled with its space filling nature, makes it a crapflood by any sensible definition.

HTH. HAND.



[ Parent ]

then why... (3.75 / 4) (#50)
by darqchild on Wed Sep 03, 2003 at 07:14:45 PM EST

... did you read, and even comment, on an article that you do not understand, or have any interest in?  Some of us do find this useful.  Nobody made you read it.  You could have ignored it and read some article that you found more interesting.

~~~
Death is God's way of telling you not to be such a smartass.
[ Parent ]
i am trying to fight a trend. (1.26 / 19) (#51)
by ninja rmg on Wed Sep 03, 2003 at 07:35:05 PM EST

this article, whether you understand it or not, is a poor article. it consists of some anecdotes about what this guy did when he found a virus on his machine and some text from various diagnostics. it was voted up immediately (which amazes me) despite its being little more than some logs and some hand waving about how this may be a new kind of virus or whatever.

if this site continues this way, its standards will continue to deteriorate and the state we are currently in will deepen.



[ Parent ]

it seems to me.... (3.75 / 4) (#54)
by joeyo on Wed Sep 03, 2003 at 09:27:40 PM EST

It seems to me that you are the only one crapflooding here, Mr. Ninja. Now begone from this place! Crawl back into the hole from whence you came before I envoke the ka5al on your ass!

/joeyo

--
"Give me enough variables to work with, and I can probably do away with the notion of human free will." -- Parent ]

ninja rmg, nice troll! (1.00 / 1) (#93)
by Ta bu shi da yu on Sat Sep 06, 2003 at 11:39:56 AM EST

Incidently to all who replied: YHBT. YHL, HAND.

Yours humbly,
Ta bù shì dà yú

---
AdTI "the think tank that didn't".
[ Parent ]

He who is without sin (3.50 / 6) (#55)
by richarj on Wed Sep 03, 2003 at 10:33:45 PM EST

can cast the first stone. The comment fits perfectly in with the article. Unlike most of your comments.

"if you are uncool, don't worry, K5 is still the place for you!" -- rusty
[ Parent ]
K5 rule #74: (5.00 / 2) (#80)
by mcgrew on Thu Sep 04, 2003 at 07:23:56 PM EST

Learn who the trolls are. YHBT, einstien.

"The entire neocon movement is dedicated to revoking mcgrew's posting priviliges. This is why we went to war with Iraq." -LilDebbie
[ Parent ]

Oh, quit whining. (none / 0) (#90)
by TwistedGreen on Fri Sep 05, 2003 at 03:22:55 PM EST

Don't you have anything better to do?  Talk about a crap flood...

--- Somewhere, just out of sight, the gnomes are gathering.
[ Parent ]
+1FP, WRAP THAT WEASEL!! /nt (1.50 / 14) (#2)
by RandomLiegh on Wed Sep 03, 2003 at 06:30:20 AM EST



---
Thought of the week: There is no thought this week.
---
Cracking profits (4.40 / 5) (#3)
by bsimon on Wed Sep 03, 2003 at 06:51:13 AM EST

I guess this is what happens when there's real money to be made from cracking Windows. Evil, hard-to-detect exploits, with no patch to stop them.

At the moment, most viruses and trojans out there exploit known, patched vulnerabilities in Windows. The cracker can find blueprints for new exploits courtesy of Bugtraq (or support.microsoft.com). Downside is, patches usually exist for these vulnerabilities. So many machines are already patched, and those that aren't can be patched quickly.

But in this case, someone has actually gone to the effort of locating a brand new vulnerability, with a potentially much longer life span - because they can actually make money from their work. The money comes from spammers, of course.

How long will it take for Microsoft to patch this? Or is it possible to block at the firewall?

By the way, did you notice which fine, upstanding companies were taking advantage of this innovative new marketing channel?

you have read my sig

New vulnerability? (4.33 / 3) (#84)
by piranha jpl on Fri Sep 05, 2003 at 01:36:27 AM EST

But in this case, someone has actually gone to the effort of locating a brand new vulnerability...
Says who?  We don't know that the author hasn't made a mistake such as executing a trojan horse bundled with another piece of software.  Or it could be a vulnerability in a non-OS part of the system, one that would be much less obvious to check for security-related updates.  An everyday program like an IM program or an image viewer could have such a vulnerability in it.

Unfortunately, this incident occurred on a machine that wasn't already heavily monitored--that is, wasn't a honeypot, so there's only so much post-mortem information that can be recovered.  If the trojan/shellcode/whatever was well-designed, it could have completely covered itself up.



- J.P. Larocque
- Life's not fair, but the root password helps. -- BOFH

[ Parent ]
Yep (4.00 / 1) (#86)
by hstink on Fri Sep 05, 2003 at 02:55:36 AM EST

There are any number of possible infection vectors - end user stupidity or unknown vulnerabilities are both in there.

All I know for sure is that McAfee had no record of this file existing before yesterday, so until it shows up on someone else's more-prepared machine we might never know how it gets there.  I'm sure some interesting information could be gleaned from the zombie masters, but I don't know whether their boxes were physically hosted by their ISPs or not.

[ Parent ]

Compromised servers and spam (4.69 / 13) (#4)
by ocelotbob on Wed Sep 03, 2003 at 06:55:10 AM EST

Fascinating read. I hope you've done all the prudent steps, such as forwarding a copy of the trojan in question to the major AV makers so that their gurus can poke and prod the code, and put its signature into their products. Also, I've got to commend you on not just wiping the system, as you were able to save the trojan, thus allowing it to be looked at.

Though this whole episode is a real shame that someone has wasted their talents. The spammer in question seems to be a fairly competent network programmer, someone who more than likely could really code some damn interesting applications. Instead, they're coding scummy apps designed to hijack legitimate users' computers. Damn shame

Why... in my day, the idea wasn't to have a comfortable sub[missive]...
--soylentdas

Let me get this straight. (2.32 / 28) (#8)
by Ta bu shi da yu on Wed Sep 03, 2003 at 08:20:00 AM EST

You effectively have a compromised box and it's spitting out spam that may be infecting more machines. Because you have only one PC you hook it back up to the Internet to get more tools to diagnose the problem.

So you reconnected a compromised box that's basically spewing crap out across the Internet and potentially infecting other PCs. How irresponsible is that??

Yours humbly,
Ta bù shì dà yú


---
AdTI "the think tank that didn't".

If you want to be a troll on K5 (2.75 / 12) (#13)
by Tex Bigballs on Wed Sep 03, 2003 at 09:35:36 AM EST

you have to pay the union initiation fees. Sorry no exceptions

[ Parent ]
Already paid the startup fee. (2.40 / 5) (#15)
by Ta bu shi da yu on Wed Sep 03, 2003 at 09:46:19 AM EST

Look, I had a talk with A Proud American ages back and we decided to let things slide.

Yours humbly,
Ta bù shì dà yú


---
AdTI "the think tank that didn't".
[ Parent ]

Be careful (2.75 / 4) (#16)
by x10 on Wed Sep 03, 2003 at 10:05:31 AM EST

If they catch you trolling without a license, they'll confiscate your biters.

---YOUR ZEROES ONLY MAKE ME STRONGER---
[ Parent ]

Hi (4.78 / 14) (#22)
by hstink on Wed Sep 03, 2003 at 12:22:12 PM EST

You do know that firewalls can block outgoing connection attempts?  I prevented all malicious access attempts once I realised what was happening, and was watching all network traffic in realtime.

I have already had 2 people disconnected/investigated for acting as zombie masters thanks to the extra traffic I was able to log/inspect after reconnecting, but I suppose the responsible thing to do was wipe my computer and forget it happened?

[ Parent ]

Then your story wasn't so crash hot, was it then? (1.25 / 4) (#64)
by Ta bu shi da yu on Thu Sep 04, 2003 at 04:44:49 AM EST

I see nowhere in the story where you wrote this.

Yours humbly,
Ta bù shì dà yú

---
AdTI "the think tank that didn't".
[ Parent ]

Dont... (1.40 / 5) (#78)
by mcgrew on Thu Sep 04, 2003 at 07:19:57 PM EST

Don't yer libaree's have confoozers in em en yer part uf Arkansaw?

He's right, you know your PC is sending out spam and viruses, but you're too fucking lazy to drive to the damned library?

They need to revoke your computer license! Jesus Christ, no wonder the virus problem is bad.

vil X's machine is owned by the latest (every wednesday MS has a new list of holes) but shit, she's a fucking moron. What's your excuse?

"The entire neocon movement is dedicated to revoking mcgrew's posting priviliges. This is why we went to war with Iraq." -LilDebbie
[ Parent ]

Well (5.00 / 4) (#82)
by hstink on Thu Sep 04, 2003 at 11:23:00 PM EST

While we do have libraries here in SC, I don't have a floppy drive and the library doesn't have a CD burner.  Since I was intent on solving this issue sooner rather than later, I booted unplugged and screened all outbound connections until I had determined which IPs and processes to block outright.

And as of tonight, our spamming friend at 64.246.60.83 has been taken offline.  That's 2 zombie masters that now have no way to communicate with their zombies for quite some time (random listening ports and a hard-coded master, remember), and I think they'd still be online if it weren't for my actions.  While it's hardly a dent in the overall problem of spam, I'm quite happy with the last couple of days' work, particularly for a spam-tracking virgin such as myself.  McAfee will be adding detection for this trojan to their DATs as of tomorrow I've been told, which should remove many more zombies via auto-update before the spammers move shop and port-scan their known zombies to get spamming again.

[ Parent ]

I don't understand the explorer listening part (2.66 / 3) (#9)
by phred on Wed Sep 03, 2003 at 08:23:36 AM EST

how do connections make it past your firewall, unless you explicitly set up port forwarding to the box that has the explorer listeners?

I'd take a wild guess... (4.75 / 4) (#17)
by zipper on Wed Sep 03, 2003 at 10:47:22 AM EST

... and say that the wthunk32.dll is getting 'injected' into the explorer.exe process... which has the added benefit of keeping the trojan invisible from task manager.

As an aside, are there any *legitimate* uses for those wacky win32 api calls for creating a thread in a remote process, and allocating and manipulating memory in another process? That just seems like asking for trouble to me.

---
This account has been neutered by rusty and can no longer rate or post comments. Way to go fearless leader!
[ Parent ]
Yep (5.00 / 1) (#24)
by hstink on Wed Sep 03, 2003 at 12:29:46 PM EST

All network access is spawned by explorer.exe, and I still haven't found a firewall that can pinpoint which child DLL of a parent process is responsible for the sockets.

I'm trying to submit the virus to AV makers, they sure make it difficult though.

[ Parent ]

FWIW (4.50 / 2) (#26)
by awgsilyari on Wed Sep 03, 2003 at 01:12:52 PM EST

As an aside, are there any legitimate uses for those wacky win32 api calls for creating a thread in a remote process, and allocating and manipulating memory in another process? That just seems like asking for trouble to me.

It is asking for trouble, but UNIX is no more secure. On UNIX you have the ptrace(2) system call, which you can use to edit memory and set registers in a different process. By using the foreign process's stack as a temporary working area, you can pretty easily create "trampolines" and cause the process to execute arbitrary code.

ptrace(2) was invented for debugging purposes, and I assume that the similar features of Win32 are also there for debugging purposes. Unfortunately, I know of no standard way to disable a process from being ptrace()'d on UNIX (although some UNIX flavors support it through a nonportable interface). I don't know anything about Win32, so I don't know if it's possible to disable this "feature" there.

--------
Please direct SPAM to john@neuralnw.com
[ Parent ]

suid executables can't be ptraced [n/t] (4.50 / 2) (#28)
by vadim on Wed Sep 03, 2003 at 01:46:30 PM EST


--
<@chani> I *cannot* remember names. but I did memorize 214 digits of pi once.
[ Parent ]
So? (3.00 / 1) (#32)
by awgsilyari on Wed Sep 03, 2003 at 04:40:42 PM EST

Whoops, I posted the reply in the wrong spot.

--------
Please direct SPAM to john@neuralnw.com
[ Parent ]
D'oh, I'm stupid (none / 0) (#39)
by awgsilyari on Wed Sep 03, 2003 at 05:02:37 PM EST

Now I understand that you're pointing out a portable method for disabling ptrace() :-) Sorry. You're right.

--------
Please direct SPAM to john@neuralnw.com
[ Parent ]
So what? (3.66 / 3) (#29)
by awgsilyari on Wed Sep 03, 2003 at 01:54:47 PM EST

What makes you think you need root in order to do interesting things covertly on a box?

If you want a spam zombie embedded into another process, there's no reason you need root for that. As long as it binds to a high port number you are okay, and you don't need root to make connections out.

This whole "UNIX is immune because it has a user-based security model" is garbage.

--------
Please direct SPAM to john@neuralnw.com
[ Parent ]

eggdrop, the next generation? (3.00 / 1) (#34)
by eudas on Wed Sep 03, 2003 at 04:48:03 PM EST

this kinda reminds me of people cracking shell accounts so they can install/setup eggdrop bots, except it's being used to forward spam instead of take over irc channels.

eudas
"We're placing this wood in your ass for the good of the world" -- mrgoat
[ Parent ]

This is obvious... (none / 0) (#43)
by Vesperto on Wed Sep 03, 2003 at 05:38:27 PM EST

...but the post you replied to wasn't saying "UNIX rules" but rather "Windows sucks". Actually, "a specific part of Windows happens to suck". Besides, as far as i know the poster can be using OSX or some other operating system. You know, the others, besides Win and Uni?
</sarcasm>

If you disagree post, don't moderate.
[ Parent ]
Don't read to much into it. (none / 0) (#53)
by awgsilyari on Wed Sep 03, 2003 at 08:40:06 PM EST

I comment within the realm of my limited experience. No more to it than that.

--------
Please direct SPAM to john@neuralnw.com
[ Parent ]
i just wanted to point out... (2.02 / 46) (#20)
by ninja rmg on Wed Sep 03, 2003 at 11:40:24 AM EST

since this is about to make it to the front page or at least section, that this is not an article. it is a diary entry and a boring one at that.

some guy's computer was compromised. he noticed it. he took some steps to figure out what was going on. he is still searching for the real killer.

honestly people, have a little self-respect. you do not deserve to have this kind of crap on your front page. do you realize that people will read this and think that stories like this are acceptable articles? that didn't occur to you when you voted, did it?

it is one thing to post bad articles that you know won't get voted up. it is quite another to post bad articles that will. the author of this is partially responsible for the slipping standards on k5. for shame.

in the future, do your part. don't vote for crap like this and don't let crap like this make it out of voting if you are the author.

HTH. HAND.



Let's look at the alternatives (3.14 / 7) (#21)
by Silent Chris on Wed Sep 03, 2003 at 11:53:10 AM EST

Massive flooding of the submission queue most nights.  Crapflooding of the diaries.  When a story does get posted, it's usually about politics or food (or a combination of the two).

I gladly welcome this story.  Maybe it's a completely new infection, maybe not, but at least it's better than the alternatives.

[ Parent ]

Well (4.40 / 5) (#23)
by hstink on Wed Sep 03, 2003 at 12:26:33 PM EST

We've been able to verify that it is "new" in the sense that AV makers haven't identified it yet.

I was initially planning on a Diary, but it's pretty obvious that the more eyes there are looking at a problem, the more possible leads or similar infections will be opened up.

And yes I know it's a boring read - it's about a search for a 14 KB trojanized shell extension - how many people can get passionate about that?

[ Parent ]

OMFG !!!! (1.46 / 15) (#33)
by ninja rmg on Wed Sep 03, 2003 at 04:42:49 PM EST

you mean it is more recent than the last version/patch of most anit-virus programs ??? holy living fuck !!!

my god, this new infection will likely destroy us all !!! no computer is safe from this spam distributing scourge !!!

no one will be spared !!! the readers of this site must act as the defenders of computer users everywhere !!!!

IF NO ONE ELSE DOES, WHO WILL ????



[ Parent ]

If you don't want to read this "crap"... (none / 0) (#73)
by bwcbwc on Thu Sep 04, 2003 at 01:29:16 PM EST

Then don't click on the hyperlink. You're just bored and jaded because the article didn't tell you anything you didn't already know, or maybe you're just trying to troll the author because he uses UUindouus.

Obviously you have more expertise in this area than most K5 readers, because you're one of the few complaining about the article being redundant and simplistic. Why don't you write an article of your own and share this knowledge instead of throwing expletives around like they were semen, with no real content behind them.

It's not impossible for the rest of us less TCP/IP-experienced folks to learn "how to" trace trojans like this if nobody is allowed to post articles detailing their experiences, but it's much more interactive and effective if they do. I'd much prefer to read an individual's recent experience than to read theoretical instructions in a book or software docs, which are probably outdated anyway.

[ Parent ]

it's idiocy like this that is destroying this site (1.72 / 18) (#25)
by ninja rmg on Wed Sep 03, 2003 at 12:46:33 PM EST

the alternative is not crapflooding, genius. the alternative is decent articles.

this article, whether it is a new infection or not, provides very little information beyond the measures this guy has taken to figure out what's up with it and where amongst his files this infection is.

do you argue that because the author claims it might be a new infection that it deserves attention? if it is a new infection, does that make it interesting? do you want an article about every new virus and worm that comes out?

you should think more carefully before you respond and before you vote.



[ Parent ]

Funny... (3.33 / 3) (#63)
by Ta bu shi da yu on Thu Sep 04, 2003 at 04:40:34 AM EST

... people were saying the same thing about when you were crapflooding the queue. I especially remember a story that you posted about your journey to the shops to buy a pack of chips (which I thought was great, btw).

Let's face it, 136 people thought that this was worthwhile as an article and 61 of them voted it to the front page. As a story it's not too bad, even if it probably might have been better in the diary section.

Now stop complaining and go back to trolling!

Yours humbly,
Ta bù shì dà yú

---
AdTI "the think tank that didn't".
[ Parent ]

And your contribution to the diary section? (none / 0) (#62)
by Ta bu shi da yu on Thu Sep 04, 2003 at 04:35:28 AM EST

The Great K5 Troll Trap.

Wow! such insight!

Yours humbly,
Ta bù shì dà yú

---
AdTI "the think tank that didn't".
[ Parent ]

You thought about why K5 exists? (4.00 / 2) (#66)
by TVoFin on Thu Sep 04, 2003 at 05:59:29 AM EST

IMHO, people read k5 because there are articles which interest them. They also vote for articles that interest them. Clearly you belong to a minority; a loud one, in that.

If an article does not interest you, skip it. If you don't want to see articles that don't interest you, vote them down while in voting. If you don't like the system, don't read K5. Simple enough?

IB, life, sleep -- pick any two. --Anonymous IB senior.
[ Parent ]

Agreed (none / 1) (#77)
by mcgrew on Thu Sep 04, 2003 at 07:13:24 PM EST

Maybe I should resubmit "Jeff's unhackable computer?"

"The entire neocon movement is dedicated to revoking mcgrew's posting priviliges. This is why we went to war with Iraq." -LilDebbie
[ Parent ]

Agreed (none / 1) (#79)
by mcgrew on Thu Sep 04, 2003 at 07:20:07 PM EST

Maybe I should resubmit "Jeff's unhackable computer?"

"The entire neocon movement is dedicated to revoking mcgrew's posting priviliges. This is why we went to war with Iraq." -LilDebbie
[ Parent ]

So what ? (2.14 / 35) (#27)
by chbm on Wed Sep 03, 2003 at 01:42:31 PM EST

You use windows. You got owned like 90% of the windows users this last couple of weeks. Is this news ?

-- if you don't agree reply don't moderate --
Ironically (2.66 / 9) (#30)
by Golden Hawk on Wed Sep 03, 2003 at 03:30:12 PM EST

-- if you don't agree reply don't moderate --

Very sound advice. Apparently advice 'locke baron' and 'joschi' were simply incapable of understanding.

Certainly "You got owned, is this news?" isn't very constructive at all, but it certainly doesn't deserve to be marked down to the level of obnoxious trolls or morons.

It gets a two from me.
-- Daniel Benoy
[ Parent ]

Sure it does (2.00 / 10) (#31)
by joecool12321 on Wed Sep 03, 2003 at 03:34:31 PM EST

"it certiantly doesn't desrve to be marked down to the level of obnoxious trolls or morons."

Obnoxious trolls get 0s. Morons get 1s. I don't see the problem.

And the whole "Reply don't moderate" is dumb because it fails to realize that moderation is a form of reply.

[ Parent ]

<sigh> <eyeroll> (1.50 / 2) (#38)
by Golden Hawk on Wed Sep 03, 2003 at 05:00:06 PM EST

And the whole "Reply don't moderate" is dumb because it fails to realize that moderation is a form of reply.

<huff> Very well. "If you disagree, reply as a post. Don't moderate"
-- Daniel Benoy
[ Parent ]

How about (5.00 / 2) (#57)
by ZorbaTHut on Thu Sep 04, 2003 at 12:06:03 AM EST

if I do both?

If I think it's not a very worthwhile comment, I mark it down. If I think it's a great comment, I mark it up.

On a completely unrelated note, if I have something to say, I reply. If I don't, I don't.

The two are mostly unrelated, except that usually I don't have anything to say to really pointless comments.

[ Parent ]

Re: How about (1.00 / 1) (#59)
by Golden Hawk on Thu Sep 04, 2003 at 02:02:36 AM EST

"if I do both?"

Yes that would be acceptable.
-- Daniel Benoy
[ Parent ]

ones for morons. (1.42 / 7) (#41)
by ninja rmg on Wed Sep 03, 2003 at 05:28:22 PM EST

indeed.



[ Parent ]
like (2.81 / 11) (#42)
by auraslip on Wed Sep 03, 2003 at 05:29:50 PM EST

you know that one movie where that guy used his ipod to connect to the alien mother ship and upload a virus through TCP/IP

this is the same thing
only this time those sneaky fucking aliens are getting us back
___-___

Dll tracer (4.50 / 2) (#45)
by onyxruby on Wed Sep 03, 2003 at 05:56:03 PM EST

Have you tried using a DLL tracer like Dependency Walker on it?

The moon is covered with the results of astronomical odds.

Use a local system firewall (5.00 / 1) (#47)
by fencepost on Wed Sep 03, 2003 at 06:10:24 PM EST

Like Kerio Personal Firewall (Additional details, and more) and lock the rules down fairly tight.

In my case I use a local filtering proxy (Privoxy) for Web browsing, plus I use Mozilla. That proxy is allowed to go pretty much anywhere it requests, but Mozilla itself is only allowed to go "freely" to local ports (since it uses them for internal communication), the local proxy, and 443 for https connections - Kerio prompts for permission for anything else. IE is not allowed to go anywhere without prompting for permission.

Basically I have the rules set up like this:

  • All local-only communications are allowed unless explicitly blocked
  • SecureCRT is allowed to go outbound on port 22 (SSH)
  • Mozilla is allowed to go outbound on port 443 (https)
  • DNS is allowed
  • Hamster (local Usenet server, similar to 'suck') is allowed to go out for NNTP and mail
  • Trillian is allowed to go out pretty much unrestricted
  • Inbound stuff is generally completely disallowed
  • etc.
Anything not otherwise specified pops up a prompt with information on the application and destination (for outbound) or originating IP and port (for inbound). Some items are simply disallowed and don't even prompt.

It also tracks for application replacement - when you add an application rule, it grabs an MD5sum of the app and compares it later - if the executable file is replaced, you'll get asked whether to accept the change or not (if not, outbound traffic is simply blocked). It's not foolproof since things like replaced DLLs will still get through, but it's at least a start.

--
"...when it appears, it is always equipped for the seeker's needs. Dobby has used it, sir," said the elf, dropping his voice and looking guilty, "when

Personal Firewalls... (4.00 / 2) (#70)
by zipper on Thu Sep 04, 2003 at 07:17:16 AM EST

... don't work. At least, there's no reason to rely on them. Assuming for a moment that something does get onto your pc, for whatever reason. Ignoring for the moment that most people blindly click "Ok" when they're prompted to allow or deny traffic, nothing stops the malicious app from faking user input and clicking OK. Nothing stops it from modifying your rules. Nothing stops it from modifying an allowed process in memory, because the file itself will still pass the checksum.

This is why you want dedicated machines for important tasks. You don't want one compromised process to allow control of everything. The firewall *should* be a dedicated piece of hardware.

---
This account has been neutered by rusty and can no longer rate or post comments. Way to go fearless leader!
[ Parent ]
What are you talking about? (5.00 / 1) (#75)
by fencepost on Thu Sep 04, 2003 at 06:48:31 PM EST

I suppose I could set up virtual machines and use one for email, one for web browsing, one for word processing, one for coding, etc. but really it seems like a waste.

In addition, a hardware firewall does me exactly zero good against outbound connections from my system. I want to keep IE from connecting to any remote sites without explicit permission from me, but I want to let my local filtering proxy go wherever it wants. What version of TCP/IP are you running where an identifier for the originating application is sent along with data packets, and where can I find a network that uses it?

So, addressing your points in order:

  • Personal firewalls....don't work - that's an incredibly broad assertion, and all I can do is disagree with you
  • Assuming for a moment that something does get onto your pc, for whatever reason. - Something like a new and as-yet-unpatched exploit against Mozilla?
  • Ignoring for the moment that most people blindly click "Ok" when they're prompted to allow or deny traffic, - You go right ahead, but I'm not doing that and if the firewall's been configured well then no normal behavior should trigger it and most invalid behavior should be silently blocked (little things like only allowing specific applications to initiate outbound SMTP connections).
  • nothing stops the malicious app from faking user input and clicking OK - "Because it's not 100% effective we're not going to use it - I'd rather have 50 worms sending email from my system than use an incomplete solution and block only 49 of them."  Besides, the day I see a worm that's well enough written to look for permission prompts from different firewall vendors is the day I'll think it might become an issue.
  • Nothing stops it from modifying your rules. - The day I see a worm that's well enough written to look for rule configurations from different firewall vendors, rewrite and reload them is the day I'll think it might become an issue.
  • Nothing stops it from modifying an allowed process in memory - Absolutely true, but getting even farther-fetched. Under an OS with decent interprocess protection, rewriting a process in memory will generally mean that it exploited a hole in the application running in that process - cross process rewriting of memory will generally be both well beyond the capabilities of worm writers and significant overkill since if they have the OS-level capability to modify other processes why not just do your work from the process you're already running in?
  • This is why you want dedicated machines for important tasks - Absolutely, but we're not talking about hardened dedicated machines. We're talking about systems that people are using directly for general-purpose computing on a daily basis.
  • The firewall should be a dedicated piece of hardware. - Only viable if you are using dedicated systems - it makes sense to block everything except SMTP from your mail server, it doesn't make sense to use hardware the same way for general-use PCs. A firewall can be very good at blocking inbound attacks, but is much less effective at blocking outbound ones from compromised systems. I'm generally NATed behind a hardware firewall, but I don't have to go to a hardware user interface (text or GUI) on it (and not available via network) to authorize each outbound connection.

--
"...when it appears, it is always equipped for the seeker's needs. Dobby has used it, sir," said the elf, dropping his voice and looking guilty, "when
[ Parent ]
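The application-replacement check fencepost describes above (hash the program when its rule is created, compare it on later use), together with zipper's caveat that an in-memory modification still passes the file checksum, as an added example that is not part of the thread and is not Kerio's code. It assumes SHA-256 in place of MD5, keeps the baseline in memory (a real tool would store it somewhere the monitored user cannot write), and uses constructed stand-in files in a temporary directory rather than real executables:

```python
"""Executable baseline-and-verify check.

Added example in the spirit of the application-replacement check discussed
in the thread (hash the program when its rule is created, compare it on
later use).  This is not Kerio's code.  Assumptions: SHA-256 is used in
place of MD5, the baseline is kept in memory, and the "executables" are
constructed files in a temporary directory.
"""
import hashlib
import os
import tempfile


def file_digest(path):
    """Hex SHA-256 of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record digest and size for each path at the time its rule is created."""
    return {p: {"sha256": file_digest(p), "size": os.path.getsize(p)} for p in paths}


def verify(baseline):
    """Return {path: 'ok' | 'replaced' | 'missing'} for every baselined file."""
    results = {}
    for path, rec in baseline.items():
        if not os.path.exists(path):
            results[path] = "missing"
        elif file_digest(path) != rec["sha256"]:
            results[path] = "replaced"
        else:
            results[path] = "ok"
    return results


def demo():
    """Constructed scenario: two fake programs are baselined, one is then
    overwritten on disk, and verify() reports which one changed.

    Returns a dict keyed by file name rather than by full temp path.
    """
    with tempfile.TemporaryDirectory() as d:
        kept = os.path.join(d, "mozilla.exe")
        swapped = os.path.join(d, "securecrt.exe")
        for p in (kept, swapped):
            with open(p, "wb") as f:
                f.write(b"MZ original program bytes: " + os.path.basename(p).encode())
        baseline = build_baseline([kept, swapped])

        # Simulate a file replacement: same name, different content.
        with open(swapped, "wb") as f:
            f.write(b"MZ replacement program bytes")

        return {os.path.basename(p): status for p, status in verify(baseline).items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The check reports a replaced or deleted file, which is the case fencepost describes; it says nothing about a process that was altered after it was loaded, which is zipper's point, so it complements a per-process or in-memory check rather than replacing one.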
I'm talking about... (none / 0) (#83)
by zipper on Fri Sep 05, 2003 at 12:14:20 AM EST

... moving the firewall to a separate machine, where it can't be modified. The problem with having all your eggs in one basket is that when the machine is compromised, you lose everything. If the firewall is a separate piece of hardware, you have to compromise two machines to do anything useful.

Modifying a process in memory is much easier than you seem to think. Using handy win32 api routines like CreateRemoteThread, VirtualAllocEx, and WriteProcessMemory, and permissions >= what the target process is running as, you can inject the code of your choice into it. It's called DLL injection, I already mentioned it in another comment.

Aside from making connections 'from' valid processes, you could do something as blunt as killing the firewall process. There's a lot of malware that already does that with antivirus programs, is it really a stretch to have them start killing firewall apps as well?

---
This account has been neutered by rusty and can no longer rate or post comments. Way to go fearless leader!
[ Parent ]
"If all you have is a hammer...." (5.00 / 1) (#91)
by fencepost on Fri Sep 05, 2003 at 05:16:24 PM EST

There are times when a separate firewall is appropriate, but for the situation described in this story a hardware firewall would very likely have been completely ineffective.

Odds are good that the trojan got onto the system using holes in either IE or another client application, though it's possible that it was a self-spreading worm that looked for open services.  The main argument against it being a worm is its behavior - if it is a worm it's a very slow spreader that nobody's noticed the attacks from yet, which seems odd since the file dates are apparently from mid-August. If it's spreading via IE holes on the other hand its distribution would be limited to people who've visited some probably-small set of sites that are distributing it which would explain the lack of information about it. Regardless of the specific client in question though, a hardware firewall will almost certainly be ineffective to prevent system compromise in this situation.

Once the system is compromised, a hardware firewall might be effective depending on the nature of the compromise. If the malware is a true trojan that opens the system for remote exploits by acting as a local server then a hardware firewall would prevent inbound connections to the ports the malware is monitoring; in this situation it would not be effective since the malware in question was acting as a client application and initiating connections itself. A hardware firewall that blocks all my outbound traffic on ports 25 and 80 is an active annoyance to me; any security measure that must be disabled for me to use my PC isn't a security device - it's an off switch.

Finally, while it's possible that a worm/trojan/malware application will take steps to disable firewall and antivirus software, the actual risks involved are fairly low based on risk = potential damage * probability. In other words, while the negative effect of software doing that would be relatively high the probability of it happening is low - smaller than the probability that a system without a software firewall will be exploited.
--
"...when it appears, it is always equipped for the seeker's needs. Dobby has used it, sir," said the elf, dropping his voice and looking guilty, "when
[ Parent ]

security is a layered approach (none / 0) (#94)
by darkonc on Sat Sep 06, 2003 at 02:14:18 PM EST

One of the rules of security experts is: Presume that any one layer will fail entirely. As such you're much better off to have layered security -- remote firewall, local firewall and then an intrusion detection system and anything else you can think of (including user education).

As an example, on my system, I have both a hardware firewall (BSD); a local firewall; I run Linux rather than windows and I have tripwire installed on the system. On top of that, I STILL look for other signs of breakin.

Remote hardware firewalls are (should be) a lot harder to break into (well, presuming that they don't have bugs/backdoors of their own), but local firewalls and/or anti-virus systems can look for things that firewalls won't notice. Trojan systems, for example, aren't necessarily going to be recognized by a remote firewall -- especially if they're transferred over an encrypted connection (ssl, or ssh, for example). Once a virus is installed, the outbound connection to the controlling system may look quite legitimate to the firewall (outbound port 80, for example).

So hardware firewalls are neither useless nor the be-all and end-all. They simply provide a different kind of protection than local security software can -- and both is better than either alone.
Killing a person is hard. Killing a dream is murder. : : : ($3.75 hosting)
[ Parent ]

I remember the day... (3.50 / 4) (#56)
by faustus on Wed Sep 03, 2003 at 11:27:36 PM EST

...I was owned too. My computer was feeling a little slower than normal so I did a "netstat -a" and found a couple connections that probably weren't supposed to be there.
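faustus's "netstat -a" check, applied to the symptoms the story itself describes (explorer.exe listening on random ports, spam leaving at a few messages a second) and to fencepost's rule of only letting specific applications initiate outbound SMTP, as an added example that is not from the thread. The netstat text, the PID-to-image map (the kind of thing you would build from `tasklist`) and both allowlists are constructed assumptions for the sake of the example:

```python
"""Flag spam-relay and unexpected-listener symptoms in netstat output.

Added example, not from the article or from any tool named in the thread.
The netstat text and the PID-to-image map below are constructed to look
like `netstat -ano` and `tasklist` output on Windows; the allowlists are
assumptions for the sake of the example.
"""
import re
from collections import defaultdict

# Constructed sample: one process (pid 1520) has several outbound SMTP
# connections and an unexplained listening socket.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.1.5:1034       198.51.100.20:25       ESTABLISHED     1520
  TCP    192.168.1.5:1035       203.0.113.7:25         SYN_SENT        1520
  TCP    192.168.1.5:1036       203.0.113.9:25         ESTABLISHED     1520
  TCP    0.0.0.0:3921           0.0.0.0:0              LISTENING       1520
  TCP    192.168.1.5:1040       198.51.100.80:443      ESTABLISHED     2212
  UDP    0.0.0.0:500            *:*                                    716
"""

# Constructed mapping, as you would build it from `tasklist /fo csv`.
PID_TO_IMAGE = {880: "svchost.exe", 1520: "explorer.exe", 2212: "mozilla.exe", 716: "lsass.exe"}

# Assumed policy: only the local news/mail relay may speak SMTP outbound,
# and only these images are expected to hold listening sockets.
SMTP_ALLOWED = {"hamster.exe"}
EXPECTED_LISTENERS = {"svchost.exe", "lsass.exe", "System"}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def _port(endpoint):
    """Port number from 'host:port', or None for a wildcard such as '*:*'."""
    port = endpoint.rsplit(":", 1)[1]
    return int(port) if port.isdigit() else None


def parse_netstat(text):
    """Turn netstat -ano lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        rows.append({
            "proto": proto,
            "lport": _port(local),
            "rhost": remote.rsplit(":", 1)[0],
            "rport": _port(remote),
            "state": state or "",
            "pid": int(pid),
        })
    return rows


def find_suspicious(rows, pid_to_image, smtp_allowed, expected_listeners):
    """Return human-readable findings for the two symptoms of interest."""
    findings = []
    smtp_count = defaultdict(int)
    for r in rows:
        image = pid_to_image.get(r["pid"], "<unknown>")
        # Symptom 1: a process that should not be a server is listening.
        if r["state"] == "LISTENING" and image not in expected_listeners:
            findings.append(f"{image} (pid {r['pid']}) is listening on {r['proto']} port {r['lport']}")
        # Symptom 2: outbound SMTP from something that is not a mail client.
        if (r["proto"] == "TCP" and r["rport"] == 25
                and r["state"] in ("ESTABLISHED", "SYN_SENT")
                and image not in smtp_allowed):
            smtp_count[(r["pid"], image)] += 1
    for (pid, image), n in smtp_count.items():
        findings.append(f"{image} (pid {pid}) has {n} outbound SMTP connection(s) but is not an allowed mail client")
    return findings


def run_demo():
    """Run both checks over the constructed sample."""
    return find_suspicious(parse_netstat(NETSTAT_SAMPLE), PID_TO_IMAGE, SMTP_ALLOWED, EXPECTED_LISTENERS)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On a live machine the same parser works on `netstat -ano` output captured to a file, which is worth doing before pulling the network cable so the evidence survives the reboot; a single snapshot only shows the moment it was taken, so repeat it a few times when hunting for short-lived connections.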

The one thing that no one can own... (4.42 / 7) (#60)
by anthonyr on Thu Sep 04, 2003 at 03:28:37 AM EST

The lights on the hub. No matter how good they are, if they're spamming thousands of people from your computer, the lights on the hub are going to be blinking like crazy.

It's a useful indicator, like taking a pulse. When it started blinking like mad last time, turns out it was because of the worm. I'm all patched and firewalled, so I wasn't infected, but all the pings lit it up like an xmas tree and prompted me to check the firewall logs right away.

It can't be an exclusive, or even entirely accurate indicator of what's going on, but anyone that ignores it does so at their peril.

---

Schlock

DUMeter (none / 0) (#76)
by fencepost on Thu Sep 04, 2003 at 06:54:03 PM EST

If you're running on Windows DUMeter may also be worth looking at - I have a small running graph in the bottom right corner of my screen, "Always On Top," showing inbound and outbound traffic. If I notice significant outbound traffic and don't know what's causing it I can shut down networking or just yank the network connection very quickly.

--
"...when it appears, it is always equipped for the seeker's needs. Dobby has used it, sir," said the elf, dropping his voice and looking guilty, "when
[ Parent ]
dude (1.00 / 2) (#61)
by circletimessquare on Thu Sep 04, 2003 at 03:37:36 AM EST

get yourself zone alarm, it's free ;-)

The tigers of wrath are wiser than the horses of instruction.

SoBig (4.00 / 1) (#71)
by elemental on Thu Sep 04, 2003 at 10:42:35 AM EST

Sounds like yet another variation of SoBig, which has been doing this sort of thing for months.

--
I love my country but I fear my government.
--> Contact info on my web site --


SoWhat (2.00 / 3) (#92)
by Ta bu shi da yu on Sat Sep 06, 2003 at 11:28:15 AM EST

I want them to make a virus called this. I run Linux. Nyah nyah!

I am l337!

Yours humbly,
Ta bù shì dà yú


---
AdTI, "the think tank that didn't".
[ Parent ]

Don't run as an admin. (4.00 / 10) (#72)
by kanin on Thu Sep 04, 2003 at 01:19:52 PM EST

Don't run as an admin.  Don't run as an admin.  Don't run as an admin.

Make it your mantra.  Make it your goal.  Make it your reason for being.

Programs do work.  Life does go on.  Your machine is far less likely to get infected.

Why would not running as an admin have solved this?

  1. msdos.exe would not have been able to save itself to the root.
  2. if it were able to save itself it would not have been able to extract to %windir%\system32.
  3. if it had done #1 and #2 it would not have been able to adjust the registry settings necessary to load the plug-in (because you can only write to HKCU - not HKLM or HKCR).
I don't run as an admin (or otherwise over-privileged user) on any Windows machines.  If I need to install something I'll use runas or terminal services to remote in as a local admin.  

I can write/debug software, use any productivity application you can name, play most games (most I want to play anyway - I've never found one I couldn't play), etc.  Very rarely do I encounter a situation where I need to be admin - and more than once I've protected myself from accidentally doing something stupid.

No amount of firewall, anti-virus software or patching will protect a user who downloads crap (knowingly or not) and allows it to run as a privileged user.

nothing.

nada.

it's your own fault.

learn the lesson and take yourself out of the admin group.


Good advice (4.00 / 2) (#74)
by hstink on Thu Sep 04, 2003 at 03:36:06 PM EST

Unless the infection comes via a remote exploit in a system-level service, like RPC or IPSEC.  Running outside of the Admin group doesn't stop the rest of the OS from going about its business.

I guess you could deny the LocalSystem account all write access to your hard drive and registry, but I'm not sure what the consequences would be.

[ Parent ]

You can do it (4.00 / 1) (#81)
by onyxruby on Thu Sep 04, 2003 at 07:48:36 PM EST

You can do it. It'll immediately step on its own dick and die, but it works. I had an instructor some years back who did this to make a point. On the flip side your system is royally hosed and you're not going to use the system anytime soon.

The moon is covered with the results of astronomical odds.
[ Parent ]

True, but it's not as bad as that either (none / 0) (#88)
by kanin on Fri Sep 05, 2003 at 10:05:43 AM EST

More and more services are running with reduced privileges (not Local System) and more and more that do run at Local System are running with least privilege - actually rejecting privileges so that even if they were exploited the available privileges would be reduced.

Good example is in Writing Secure Code (2nd) chapter 7 (page 246, specifically).

There will always be something that runs with high privs.  But if you reduce the number of things running there you increase your ability to verify your system's integrity and raise the bar to attack.


[ Parent ]

Won't always save you (none / 0) (#85)
by 0xA on Fri Sep 05, 2003 at 01:59:44 AM EST

Just using your examples:

msdos.exe would not have been able to save itself to the root.

By default it would. You can of course put file permissions on the root.

2. if it were able to save itself it would not have been able to extract to %windir%\system32.

I don't really think this matters. Unless you can't load a shell extension that isn't in %windir%\system32, I'm not sure about that. There is no reason a program stored elsewhere on the disk couldn't be started.

3. if it had done #1 and #2 it would not have been able to adjust the registry settings necessary to load the plug-in (because you can only write to HKCU - not HKLM or HKCR).

Again this would stop it from loading a shell extension but there is always HKCU\Software\microsoft\CurrentVersion\Run

This particular little nasty wouldn't have worked unless it installed as an administrator but you could build something similar that would work as a user.

It is still a good practice but it won't save you.

[ Parent ]

Yeah ... nothing is a silver bullet. (none / 0) (#89)
by kanin on Fri Sep 05, 2003 at 10:14:59 AM EST

> You can of course put file permissions on the root

Right - that would be stupid.  But people would do it.  And they would feel safe even though they had a large degree of whatever safety they might have had.

> I don't really think this matters. Unless you can't load a shell extension that isn't in %windir%\system32,

I would bet money the virus had "c:\windows\system32" hardcoded into it.  Just like many script kiddies are foiled by not hosting IIS out of "c:\inetpub".  It's not about being 100% fool-proof, it's about raising the bar sufficiently high that script kiddies and casual attacks won't succeed.

> HKCU\Software\microsoft\CurrentVersion\Run

Right - and I ACL'd that too.  Only the admin can put anything in my HKCU...Run[Once] - and I don't run as admin :)

But you were making a point - not nailing every specific instance of exposure.

Yes - there are many places where you could still be bitten.

Running as a non-admin user won't save me from everything but it will prevent entire classes of attacks from being successful against my machine simply because the assumptions the author made were not valid in a moderately more secure environment.

[ Parent ]
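The autostart locations 0xA and kanin go back and forth on (HKCU versus HKLM Run/RunOnce, programs living in %windir%\system32 versus somewhere a plain user can write), as an added example that is not from the thread: it audits a regedit export, so it runs offline on any platform, and reports each entry's hive because an ordinary user can write HKCU Run values while HKLM needs admin rights. The export text and the trusted directory prefixes are constructed assumptions; on a live Windows box the same values would be read through the standard `winreg` module instead:

```python
"""Audit autostart (Run / RunOnce) entries from a .reg export.

Added example, not from the thread.  It parses a constructed `regedit`
export so that it runs offline; on a live Windows box the same values would
be read through the `winreg` module.  The trusted directory prefixes are an
assumption for the example.
"""
import re

# Constructed export.  Backslashes and quotes are escaped the way regedit
# writes them.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Vendor\\agent.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\update.exe"
"Trillian"="\"C:\\Program Files\\Trillian\\trillian.exe\" /min"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"msdos"="C:\\msdos.exe"
'''

# Assumed: programs under these prefixes need admin rights to be replaced.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows")
AUTOSTART_KEYS = (r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(s):
    """Undo regedit escaping (doubled backslashes and backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return (key, name, value) for string values under autostart keys."""
    entries = []
    key = None
    suffixes = tuple(k.lower() for k in AUTOSTART_KEYS)
    for line in text.splitlines():
        km = KEY_RE.match(line.strip())
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line.strip())
        if vm and key and key.lower().endswith(suffixes):
            entries.append((key, _unescape(vm.group(1)), _unescape(vm.group(2))))
    return entries


def executable_path(command):
    """Best-effort extraction of the program path from a Run value."""
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.*?\.(?:exe|com|bat|cmd|scr|dll))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]


def audit_run_keys(entries):
    """Flag entries whose program lives outside the trusted directories.

    Each finding records whether it came from HKCU, which a non-admin user
    can write, as opposed to HKLM, which needs admin rights.
    """
    findings = []
    for key, name, value in entries:
        path = executable_path(value)
        if path.lower().startswith(TRUSTED_PREFIXES):
            continue
        findings.append({
            "name": name,
            "key": key,
            "path": path,
            "user_writable_hive": key.startswith("HKEY_CURRENT_USER"),
        })
    return findings


if __name__ == "__main__":
    for f in audit_run_keys(parse_reg_export(REG_SAMPLE)):
        print(f"{f['name']}: {f['path']}  [{f['key']}]")
```

Run against the sample it flags the two entries a non-admin account could have created (a program in a Temp directory and one at the drive root) and passes the two under Program Files; kanin's ACL on HKCU\...\Run would make the HKCU findings impossible in the first place, which is the point of the audit reporting the hive.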

¡ This Is What Happens When One Uses WinTels ! (1.75 / 4) (#87)
by Walabio on Fri Sep 05, 2003 at 09:10:39 AM EST

¡ Macs Rule !


--

¡Sign For Bodily Integrity, With Nobel Laureate Biologists And The Rest Of Us!

¡Impeach Dubya!

Use Linux and stop annoying the rest of the world (2.00 / 5) (#95)
by jcarr on Sun Sep 07, 2003 at 03:47:58 PM EST

I don't understand why people with Windows even bother complaining about their viruses. It's always going to be that way. I'm sick of hearing about it and trying to update email blacklists because of all you nitwits. Get on the clue train.

Is this Illegal? (3.00 / 1) (#96)
by Kadin2048 on Sun Sep 07, 2003 at 04:11:32 PM EST

I don't have the Wintel expertise to contribute much to the technical side of this discussion (although I do encourage those who do to participate), I do have one question:

Is this illegal?

I don't mean the shutting-down-spammers part, I mean, what the spammers are doing in the first place.

If you ran the "zombie master" computer, what could you be prosecuted for? You could conceivably construct a defense that there is no proof of a link between the construction of the trojan and the operation of the zombie master system (it's a conspiracy, they're setting me up, etc.) that might hold water.

I think we need to have some sort of stiffer punishment for the people at the remote ends of these things (personally, I favor death by dismemberment, but I suppose prison or fines would also work, in deference to the softhearted), but I'm not sure where exactly a crime like this falls under the current U.S. legal framework.

Any thoughts / ideas?

Couple things (4.00 / 1) (#97)
by Miniluv on Wed Sep 10, 2003 at 03:04:33 PM EST

I've seen a few instances where the best claim was theft of bandwidth. But viruses are also prohibited by the good old Computer Fraud and Abuse Act (the one so overcited in the movie Hackers, actually).

There are also a slew of state and local laws in various areas which cover this as well.

"Too much wasabi and you'll be crying like you did at the last ten minutes of The Terminator" - Alton Brown
[ Parent ]

Useful tool (none / 0) (#98)
by gnovos on Wed Sep 10, 2003 at 06:44:13 PM EST

It's useful when doing this kind of work to get Kerio firewall (or a few others I can't remember right now) that will watch all OUTGOING connections, and inform you of the process that is sending the packets.  There may be better tools for this, but for me it works great.

A Haiku: "fuck you fuck you fuck/you fuck you fuck you fuck you/fuck you fuck you snow" - JChen
Thanks for the info. (none / 0) (#99)
by 2bit on Mon Dec 15, 2003 at 01:57:22 AM EST

I do virus/worm/trojan removal for a living. I will look into this further and see if I can get a name for this trojan and any info I can dig up for you.

Hunt for a new trojan | 99 comments (83 topical, 16 editorial, 0 hidden)